From 4513807824f14b1b26d33eb2b2b4db26c2c5091a Mon Sep 17 00:00:00 2001
From: admin
Date: Mon, 16 Feb 2026 01:23:13 +0000
Subject: [PATCH] Ajouter securite.yml
---
 securite.yml | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 securite.yml
diff --git a/securite.yml b/securite.yml
new file mode 100644
index 0000000..2d652ff
--- /dev/null
+++ b/securite.yml
@@ -0,0 +1,89 @@
+---
+- name: Sécurité Simple - Réseau local libre, extérieur protégé
+ hosts: all
+ become: yes
+
+ tasks:
+ - name: "=== Installation ==="
+ apt:
+ name:
+ - ufw
+ - fail2ban
+ state: present
+ update_cache: yes
+
+ - name: "=== FIREWALL ==="
+ debug:
+ msg: "Configuration du firewall..."
+
+ - name: Règles par défaut UFW
+ ufw:
+ default: "{{ item.direction }}"
+ direction: "{{ item.type }}"
+ loop:
+ - { direction: 'deny', type: 'incoming' }
+ - { direction: 'allow', type: 'outgoing' }
+
+ - name: SSH autorisé (pour ne pas se bloquer)
+ ufw:
+ rule: allow
+ port: '22'
+ proto: tcp
+
+ - name: Tout le réseau local autorisé
+ ufw:
+ rule: allow
+ from_ip: 192.168.123.0/24
+
+ - name: Activer UFW
+ ufw:
+ state: enabled
+
+ - name: "=== FAIL2BAN ==="
+ debug:
+ msg: "Configuration de Fail2ban..."
+
+ - name: Configuration Fail2ban simple
+ copy:
+ dest: /etc/fail2ban/jail.local
+ content: |
+ [DEFAULT]
+ bantime = 3600
+ findtime = 600
+ maxretry = 5
+
+ [sshd]
+ enabled = true
+ port = ssh
+ logpath = /var/log/auth.log
+ maxretry = 3
+ mode: '0644'
+
+ - name: Démarrer Fail2ban
+ systemd:
+ name: fail2ban
+ state: restarted
+ enabled: yes
+
+ - name: "=== VÉRIFICATION ==="
+ command: ufw status
+ register: fw_status
+ changed_when: false
+
+ - name: Afficher config
+ debug:
+ var: fw_status.stdout_lines
+
+ - name: "=== RÉSUMÉ ==="
+ debug:
+ msg:
+ - "================================================"
+ - "✓ FIREWALL"
+ - " Depuis 192.168.123.0/24 → TOUS LES PORTS OK"
+ - " Depuis Internet → BLOQUÉ"
+ - ""
+ - "✓ FAIL2BAN"
+ - " 3 tentatives SSH ratées → Ban 1h"
+ - ""
+ - "✓ VOUS ÊTES PROTÉGÉ !"
+ - "================================================"
\ No newline at end of file
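Review bot: The `Démarrer Fail2ban` task uses `state: restarted`, so fail2ban is restarted on every play run even when `jail.local` did not change; the `copy` task should `notify` a handler that performs the restart while the task itself only ensures `state: started`, as sketched below. The jail overrides `logpath = /var/log/auth.log` whereas the packaged sshd jail normally takes its log source from the distribution defaults; on targets with no syslog daemon writing that file fail2ban may refuse to start the sshd jail, so either drop the `logpath` line or confirm the file exists on every host — this matters because the `=== VÉRIFICATION ===` task only runs `ufw status` and the summary then declares the protection active without checking fail2ban (a `command: fail2ban-client status sshd` with `changed_when: false` would close that gap). `become: yes`, `update_cache: yes` and `enabled: yes` should be written `true`, matching `changed_when: false` and avoiding YAML 1.1 truthy ambiguity. In the `Règles par défaut UFW` loop the item keys are inverted relative to the module parameters (`item.direction` carries the policy and `item.type` the direction); naming them `policy`/`direction` would read correctly.
```yaml
    - name: Configuration Fail2ban simple
      copy:
        dest: /etc/fail2ban/jail.local
        # … unchanged: content block scalar …
        mode: '0644'
      notify: Redémarrer Fail2ban

    - name: Démarrer Fail2ban
      systemd:
        name: fail2ban
        state: started
        enabled: true

    # … unchanged: remaining tasks …

  handlers:
    - name: Redémarrer Fail2ban
      systemd:
        name: fail2ban
        state: restarted
```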